How to protect yourself, your coworkers, and your patients.
Takeaways:
- Healthcare data breaches reached record levels in April 2019, with 44 attacks affecting nearly 687,000 people.
- Security breaches can lead to serious consequences, including complete system or network shutdown and life-and-death situations.
- Much like we encourage patients to practice good personal hygiene to promote health and well-being, healthcare organizations and nurses must practice good cyber hygiene.
Cybersecurity has become a pressing issue in healthcare organizations. Each year, more organizations are targeted by individuals who want to gain access to protected health information (PHI) to file false insurance claims, buy medical equipment, and order prescription drugs. Healthcare data breaches reached record levels in April 2019, with 44 attacks affecting nearly 687,000 people.
Healthcare cybersecurity defends computers, servers, wearables, medical devices, and electronic health records and other sources of PHI from malicious attacks. Nurses who learn about cybersecurity, are aware of threats, remain alert to them, and are familiar with mitigation and incident response can help protect patients and organizations.
Consequences of cyberattacks
Security breaches can lead to serious consequences, including complete system or network shutdown and life-and-death situations. For example, a hacked insulin pump could increase the insulin delivery rate, leading to severe complications or death. An experienced hacker can exploit vulnerable computer networks in minutes, but recovery from cyberattacks can take years, damaging an organization’s reputation, future business, and short- and long-term finances. Patients who are victims of medical identity theft will lose hours of work and productivity while they try to restore and secure their stolen information. Many victims suffer emotionally and financially, and fear of future attacks can result in anxiety and stress. And if the breach was internal (perpetrated by an employee), morale in the workplace could be affected.
Types of attacks
Hackers gain access to devices physically and virtually. Physical access is acquired by stealing portable devices or accessing computers in public areas using stolen credentials.
Virtual access occurs when hackers send phishing and spear-phishing emails via networks to seek out personal information such as usernames and passwords. The emails, many of which appear credible, may contain embedded links that recipients are asked to click on.
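The paragraph above describes the core phishing trick: a credible-looking message whose embedded link does not go where its text says it goes. The script below is an added example, not code from the original article or from any organization it names; it extracts every link from a constructed HTML e-mail body and flags the indicators an awareness-training tool or mail gateway would look for (link host outside the sender's domain, visible URL text that differs from the real target, a raw IP address, or a user@host trick that hides the real host). The hospital name, sender address and message text are made up for the demonstration, and the domain matching deliberately ignores the public-suffix list, so it is a simplification rather than a production filter.

```python
"""Flag phishing indicators in an e-mail's HTML body (added example, not from the article)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two DNS labels, e.g. 'portal.mercy-hospital.example' -> 'mercy-hospital.example'.
    Simplification (assumption): no public-suffix list, so 'example.co.uk' is not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_domain(address):
    """Domain part of an e-mail address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def link_findings(html_body, expected_domain):
    """Return [(href, [reasons])] for every link that shows a phishing indicator."""
    extractor = _LinkExtractor()
    extractor.feed(html_body)
    findings = []
    for href, text in extractor.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        reasons = []
        if parsed.scheme not in ("http", "https"):
            reasons.append("non-http(s) scheme")
        if "@" in parsed.netloc:
            reasons.append("'@' in the URL hides the real host after it")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("raw IP address instead of a hostname")
        if host and registrable_domain(host) != registrable_domain(expected_domain):
            reasons.append("link host %s is outside sender domain %s" % (host, expected_domain))
        # Visible text that looks like a URL but points somewhere else than the href
        shown = re.search(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            reasons.append("visible URL %s differs from the actual target" % shown.group(1))
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample message: one lookalike link, one legitimate intranet link.
SAMPLE_SENDER = "it-helpdesk@mercy-hospital.example"
SAMPLE_BODY = """
<p>Your EHR password expires today. Please
<a href="http://portal.mercy-hospital.example.login-reset.example/auth">
https://portal.mercy-hospital.example/reset</a> to keep access.</p>
<p>Questions? See the <a href="https://intranet.mercy-hospital.example/help">IT help page</a>.</p>
"""


if __name__ == "__main__":
    for href, reasons in link_findings(SAMPLE_BODY, sender_domain(SAMPLE_SENDER)):
        print("SUSPICIOUS:", href)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample, the first link is reported with two reasons (its host is a lookalike outside the sender's domain, and the text shown to the reader names a different site than the real target), while the intranet link passes. The same checks can be reused in training material: showing staff the href next to the displayed text is exactly the habit the article asks them to build.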
Another form of virtual access is a ransomware attack. Hospital operations have been shut down by these attacks, which invade network systems, encrypt data, take control of the system and lock it down, and then demand a ransom to decrypt the data. Paying the ransom doesn’t ensure data restoration.
Cyber hygiene
Much like we encourage patients to practice good personal hygiene to promote health and well-being, healthcare organizations and nurses must practice good cyber hygiene. Think of protecting PHI as primary prevention, conducting risk assessments and performing regular maintenance as secondary prevention, and stabilizing and restoring systems after a cyberattack as tertiary prevention.
In 2018, the National Institute of Standards and Technology (NIST) developed a framework that can be used by any business, including healthcare organizations, to improve security and resistance against cyberattacks. The framework provides structural guidance that organizations can use to develop an individualized cybersecurity risk plan. (See Building a security framework.) Organizations can use the nursing process to design comprehensive reviews that allow nurses to collect the information necessary to complete, implement, evaluate, and revise the NIST framework profile.
Building a security framework
The National Institute of Standards and Technology (NIST) cybersecurity framework consists of three parts: core, implementation tiers, and profile.
- The framework core comprises five functions that provide a set of desired cybersecurity activities and outcomes using common language that is easy to understand:
  - identify—develop a broad overview of how the organization would manage a cyberattack
  - protect—create and implement alternative systems to safeguard critical functions should a cyberattack occur
  - detect—put activities in place for early identification of a cybersecurity event
  - respond—develop mitigation and incident response and implementation plans
  - recover—determine actions that may be required if a cyberattack occurs, including restoring systems
- The framework implementation tiers provide organizations with an overall view of their cybersecurity risk and the plan they have in place to manage it.
- The framework profile helps organizations evaluate their plan and risk considerations against the desired outcomes described in the core. The profile can be used to identify areas for improvement.
Assess
Formal and informal risk assessments conducted by a team of nurses and members of the information technology (IT) and health informatics staff should include an inventory of hardware (computers, connected devices, and mobile devices), software (all programs installed on the network and used by everyone), applications, and data storage (onsite, off-site, and cloud storage). The assessment should review how staff are currently trained on cybersecurity awareness and cyber hygiene best practices. In addition, the assessment should look for vulnerabilities at all levels and include interviews with nurses about their cybersecurity awareness, understanding of potential threats, and current knowledge, attitudes, and behaviors related to cybersecurity practices.
Finally, the assessment should include a formal review of the organization’s cybersecurity and cyber hygiene policies and procedures. (See Protection review.)
Protection review
Healthcare organizations should have formal cybersecurity policies and procedures related to acceptable use, security awareness, information security, disaster recovery, change management, incident response, remote access, personal devices, vendor access, and data backup.
- Acceptable use details the purpose of work computers and employee networks.
- Security awareness describes how an employee’s actions on the network may affect security and the privacy of others, as well as the personal health information housed in the network.
- Information security provides information about data risk management and whom to contact for information technology security issues.
- Disaster recovery provides step-by-step details of the mitigation plan to reduce the severity of the impact of a threat or attack.
- Change management informs employees about who will install updates and how they’ll be notified about scheduled maintenance.
- Incident response contains step-by-step details about how the organization responds to a cybersecurity breach, including information about preparation, detection, analysis, containment, eradication, recovery, and postincident activity (for example, how well the team responded to the crisis and how quickly it secured the organization).
- Remote access explains the necessary safeguards required if the network must be accessed remotely, including virtual private network use and two-factor authentication.
- Personal device provides explicit guidelines for employees’ personal devices—laptops, tablets, smartphones, and USB drives—that are used for work.
- Vendor access determines how much access to the network vendors will be permitted and how they must access it.
- Data backup clarifies where data is stored, who has privileges to back up data, and how often data should be backed up.
Diagnose
After the risk assessment is completed, the chief information officer or administrative leadership team should make a determination about the risk for a cyberattack and present recommendations. Based on these recommendations, changes may include removing outdated hardware, patching or removing software programs, writing policies and procedures, improving the current education program, developing a mitigation plan, consistently backing up data, and increasing annual employee training. An organization also may want to consider purchasing cybersecurity insurance. HealthITSecurity.com reported that on average it takes $1.4 million to recover from a cyberattack. Cyber insurance can help organizations cover some of the costs incurred during a breach; however, policies may not cover all expenses, including replacing or repairing equipment damaged during attacks or subsequent litigation.
Helpful training includes recognizing and avoiding phishing scams, practicing good password management, following safe internet practices, and increasing device safety.
Mitigate
Even an initially small breach can eventually involve thousands of patients, making a mitigation plan important. Sometimes a breach can be solved easily by shutting down a group of computers on one unit, but other times a more complicated solution—such as turning away patients and temporarily closing—may be required.
The quicker a problem is reported, the less damage will occur to the organization, so most mitigation plans require staff to immediately report an incident to the IT department. Mitigation plans should be followed exactly, and they require educating staff about the Health Insurance Portability and Accountability Act breach notification rule, 45 CFR §§ 164.400-414, which requires that healthcare organizations notify individuals who are affected by a breach no later than 60 days after the occurrence. In some cases (for example, if more than 500 residents of one state are affected by a breach), organizations are required to notify media outlets and the secretary of the Department of Health and Human Services. Organizations also need to be aware of and follow any state requirements for reporting breaches.
Implement
The goal of implementing a cybersecurity plan is to protect PHI. Similar to event drills for bioterrorism, active shooter, or mass casualties, mock cybersecurity exercises help organizations conduct a variety of scenarios and evaluate their preparedness for an attack. During the mock exercise, participants follow the incident response plan to understand their roles in the event of an attack and practice their response. The organization also will be able to determine how well it responds to a crisis and secures information.
Evaluate
A formal evaluation should be conducted immediately after a mock exercise or an actual cyberattack to determine what parts of the plan worked and what parts didn’t. The evaluation may reveal areas of strength and weakness, as well as lessons learned. Ultimately, the organization should incorporate changes to ensure it’s always prepared and remains aware of and follows security best practices.
Be prepared
Cyberattacks are increasing in frequency and severity. Being aware of the most common attacks will improve nurses’ abilities to recognize, avoid, and respond to them. And a framework that guides developing a cybersecurity risk plan specific to nursing will give nurses a better understanding of how to protect themselves, their coworkers, the organization, and their patients.
Marti Jordan is a visiting assistant professor at the University of Southern Mississippi School of Leadership and Advanced Nursing Practice in Hattiesburg, Mississippi.
References
Cohen JK. Healthcare data breaches reach record high in April. Modern Healthcare. May 10, 2019. modernhealthcare.com/cybersecurity/healthcare-data-breaches-reach-record-high-april
Davis J. What is cyber insurance for healthcare organizations? HealthITSecurity.com. February 5, 2019. healthitsecurity.com/features/what-is-cyber-insurance-for-healthcare-organizations
Gupta BB, Tewari A, Jain AK, Agrawal DP. Fighting against phishing attacks: State of the art and future challenges. Neural Comput Appl. 2017;28(12):3629-54.
Kruse CS, Frederick B, Jacobson T, Monticone DK. Cybersecurity in healthcare: A systematic review of modern threats and trends. Technol Health Care. 2017;25(1):1-10.
Lötter A, Futcher LA. A framework to assist email users in the identification of phishing attacks. Information & Computer Security. 2015;23(4):370-81.
National Institute of Standards and Technology. Framework for Improving Critical Infrastructure Cybersecurity. Version 1.1. April 16, 2018. nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
Spence N, Bhardwaj N, Paul DP, Coustasse A. Ransomware in healthcare facilities: A harbinger of the future? Perspect Health Inf Manag. 2018;Summer:1-22. perspectives.ahima.org/ransomwareinhealthcarefacilities
Stafford T. Tackling healthcare cybersecurity with risk identity, assessment [webinar]. Xtelligent Healthcare Media. vimeo.com/359520062
U.S. Department of Health and Human Services. Health information privacy: Breach notification rule. July 26, 2013. hhs.gov/hipaa/for-professionals/breach-notification/index.html